200/005 



I claim: 

1. A method for controlling access to a multicast 
group in a data communication network, comprising: 

providing a second node for transmitting data traffic
between a first node and a router; and

verifying by the second node that the first node is
authorized to access a multicast group before transmitting
to the first node data traffic from the router addressed to
the multicast group.

2. The method of claim 1, wherein the verification 
includes authenticating the first node.

3. The method of claim 2, wherein the verification 
further includes determining a multicast group
authorization associated with the first node in connection
with the authentication. 

4. The method of claim 1, wherein the verification 
includes authenticating a user on the first node. 

5. The method of claim 4, wherein the verification 
further includes determining a multicast group
authorization associated with the first node in connection
with the authentication. 

6. The method of claim 1, wherein the verification 
includes determining whether a multicast group in a message 
received from the first node is in conformance with a
multicast group authorization associated with the first 
node. 

7. The method of claim 1, wherein the verification 
includes determining whether a multicast group in a message 
received from the router is in conformance with a multicast 
group authorization associated with the first node.

8. A method for controlling access to a multicast 
group in a data communication network, comprising: 

receiving an IGMP membership report from an end 
station; 

determining whether a multicast group in the IGMP 
membership report conforms with a multicast group 
authorization associated with the end station; and 

inhibiting the end station from joining the multicast 
group if the multicast group fails to conform with the 
multicast group authorization. 

9. The method of claim 8, further comprising 
receiving the multicast group authorization in response to 
verification of a credential submitted by the end station. 

10. The method of claim 9, wherein the credential is 
a user credential. 

11. The method of claim 8, wherein the association of 
the multicast group authorization with the end station is
inferred from an association of the multicast group
authorization with a port through which the end station is 
known to access the network. 

12. The method of claim 8, wherein the receiving, 
determining and inhibiting steps are performed on a LAN 
switch interposed between the end station and a router. 

13. The method of claim 8, wherein the multicast 
group corresponds to an IP Multicast data stream. 

14. A method for controlling access to a multicast 
group in a data communication network, comprising: 

receiving a CGMP join message from a router regarding 
an end station; 

determining whether a multicast group in the CGMP join 
message conforms with a multicast group authorization 
associated with the end station; and 

inhibiting the end station from receiving traffic 
addressed to the multicast group if the multicast group 
fails to conform with the multicast group authorization. 

15. The method of claim 14, further comprising 
receiving the multicast group authorization in response to 
verification of a credential submitted by the end station. 

16. The method of claim 15, wherein the credential is 
a user credential.

17. The method of claim 14, wherein the association
of the multicast group authorization with the end station
is inferred from an association of the multicast group
authorization with a port through which the end station is
known to access the network.

18. The method of claim 14, wherein the receiving,
determining and inhibiting steps are performed on a LAN
switch interposed between the end station and a router.

19. The method of claim 14, wherein the multicast
group corresponds to an IP Multicast data stream.

20. A LAN switch, comprising: 

a port for receiving a membership report from an end 
station; and 

a switch manager for receiving the membership report 
from the port, for determining whether a multicast group in
the membership report conforms with a multicast group
authorization associated with the end station and for
inhibiting the end station from joining the multicast group
if the multicast group fails to conform with the multicast
group authorization.

21. The switch of claim 20, wherein the switch
manager receives the multicast group authorization from an 
authentication server in response to verification by the
authentication server of a credential submitted by the end
station. 

22. The switch of claim 21, wherein the credential is
a user credential.

23. The switch of claim 20, wherein the association
of the multicast group authorization with the end station
is inferred from an association of the multicast group
authorization with the port.

24. A LAN switch, comprising: 

a port for receiving a join message from a router
regarding an end station; and

a switch manager for receiving the join message from 
the port, for determining whether a multicast group in the 
join message conforms with a multicast group authorization
associated with the end station and for inhibiting the end
station from receiving traffic addressed to the multicast 
group if the multicast group fails to conform with the 
multicast group authorization. 

25. The switch of claim 24, wherein the switch 
manager receives the multicast group authorization from an
authentication server in response to verification by the 
authentication server of a credential submitted by the end 
station.

26. The switch of claim 24, wherein the credential is
a user credential. 

27. The switch of claim 24, wherein the association 
of the multicast group authorization with the end station 
is inferred from an association of the multicast group 
authorization with a port through which the end station is 
known to access traffic from the router. 
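
The check recited in claims 8, 11 and 20, shown as an added Python example that is not part of the patent text: a switch-side function parses an IGMPv1/v2 membership report and drops it unless the group falls within the authorization tied to the ingress port. The function names, the `AUTHZ` port-to-networks table and the sample addresses are assumptions constructed for illustration.

```python
import ipaddress
import struct

IGMP_V1_REPORT = 0x12
IGMP_V2_REPORT = 0x16

# Constructed sample: port 1's end station is authorized for 239.1.1.0/24 only.
AUTHZ = {1: [ipaddress.ip_network("239.1.1.0/24")]}

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the IGMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_report(group: str) -> bytes:
    """Construct a sample IGMPv2 membership report (test input only)."""
    body = struct.pack("!BBH4s", IGMP_V2_REPORT, 0, 0,
                       ipaddress.IPv4Address(group).packed)
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]

def admit_report(port: int, igmp: bytes, authz: dict) -> str:
    """Return 'forward' or 'drop' for an IGMP message received on `port`.

    `authz` maps a switch port to the multicast networks its end station
    may join (hypothetical structure; as in claim 11, the association with
    the end station is inferred from the port)."""
    if len(igmp) < 8:
        return "drop"                      # truncated message
    msg_type, _, _, raw_group = struct.unpack("!BBH4s", igmp[:8])
    if msg_type not in (IGMP_V1_REPORT, IGMP_V2_REPORT):
        return "forward"                   # other IGMP types: outside this check
    if inet_checksum(igmp) != 0:
        return "drop"                      # checksum over whole message must be 0
    group = ipaddress.IPv4Address(raw_group)
    if not group.is_multicast:
        return "drop"
    allowed = authz.get(port, ())          # no authorization on record: deny
    if any(group in net for net in allowed):
        return "forward"                   # report continues toward the router
    return "drop"                          # end station inhibited from joining
```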